Function documentation: Authorization Check at Field Level

 

You can use this function to determine which actions a user can execute for specific fields in a business transaction, such as a sales or service order. You can, for example, allow specific users to change the fields in a business transaction. It is therefore possible to allow only those employees with special authorization to change quantities retroactively after the sales order has been delivered.

In addition, you can use the authorization check not only for individual fields, but also for a business transaction component's entire table entry, such as order item, partner, and transaction history. This enables an advanced and targeted authorization check.

You can influence the following user actions (modes) by using the authorization check:

  • Create

  • Display

  • Change

  • Delete

The Create and Delete modes are only available when using the entire business transaction component. As a result, you cannot enter field names in the IMG activity Define Authorization Group.

When you choose the Display and Change modes, you must specify a field name to which the action should relate.

Caution

You can hide fields for certain users by using the Display mode for the appropriate field (see prerequisites) in the IMG activity Define Authorization Group in Customizing. This is only supported by CRM E-Commerce.

You can find more information about the use of this function in CRM E-Commerce in the SAP Implementation Guide (IMG), under Customer Relationship Management → Web Channel → Basic Settings → Define Authorizations.

Prerequisites

  • You have created an authorization with reference to authorization object CRM_FLDCHK, assigned this authorization to an authorization profile, and assigned this profile to the corresponding user.

    Note

    When you create the authorization with reference to the authorization object CRM_FLDCHK, you can only specify one value (whole number) for the Authorization Level field. The authorization check cannot process ranges (for example, 1–12) or multiple values (for example, 5,7,9).

  • You have defined authorization groups in Customizing and assigned fields to them. An authorization group is a type of field group, and consists of a collection of fields. You make the entries for this in Customizing for Customer Relationship Management, under Basic Functions → Authorizations → Define Authorization Group.

    Note

    For performance reasons, you should determine the rules for the authorization check carefully. Only use the asterisk value (* = all transaction types) in the IMG activity Maintain Authorizations at Field Level, in the columns Transaction Type and Item Category, if all the transaction types or item categories should be analyzed for this authorization rule in the authorization check.

  • You have assigned an authorization level for each authorization group in Customizing in connection with the key fields transaction type, item category, and delivery status. You make these entries manually in Customizing for Customer Relationship Management, under Basic Functions → Authorizations → Maintain Authorizations at Field Level. You fill the control table CRMM_AUTH_FIELD with these entries.

    Caution

    Control table CRMM_AUTH_FIELD is created as a master data table, and therefore cannot be transported. For this reason, you should maintain this control table in your productive system.

Features

When you have made the necessary settings in Customizing for SAP CRM, the system performs the authorization check at field level when processing a sales transaction.

To be able to perform an authorization check at field level, the system analyzes specific information during the check. This includes:

  • Key fields (transaction type, item category, and delivery status) that control whether the rule can be applied.

    The rule is only applied if the values of the key fields in the transaction agree with those of the key fields in the control table CRMM_AUTH_FIELD.

  • Authorization level from the authorization object of the user. The user receives a specific authorization level via an authorization object. The authorization object contains the following fields:

    • Activity

    • Authorization group

    • Authorization level

  • Other entries in the control table, such as authorization group and authorization level for each authorization group.

In the authorization check, the system analyzes the control table CRMM_AUTH_FIELD and checks whether the authorization level from the control table is higher or lower than the authorization level in the user's authorization object. If the user’s authorization level in his or her authorization object is at least as high as the authorization level in the control table, he or she is permitted to overwrite the field. If his or her authorization level is lower than that in the control table, he or she cannot change the field.

If a field is assigned to multiple authorization groups, then all the authorization groups are checked independently of each other. The user must have authorization for all the authorization groups at the required level. If the control table does not contain any data, the authorization check is not carried out.

Adding Additional Key Fields

You can use a Business Add-In (BAdI) to make further fields available for the authorization check at field level. The Transaction Type, Item Category, and Delivery Status fields are shipped for this purpose as standard. If you want to use more fields (which you have added to the control table CRMM_AUTH_FIELD) for the authorization check, you can calculate the values of these additional fields with this BAdI and transfer them to the authorization check.

For more information, see the Implementation Guide (IMG) at Customer Relationship Management → Basic Functions → Authorizations → Define Authorization Groups and Business Add-In for Checking Fields.

Caution

If you have added additional key fields, you must assign an asterisk to them in the IMG activity Maintain Authorizations at Field Level. This is the only way to ensure that the rules previously created for the authorization check are correctly analyzed by the system.

Example

Simple Example for "Change Fields" Authorization

a) Customizing Settings in the IMG Activity Define Authorization Group

Definition of authorization group 0001 – Authorization group 0001 consists of the following fields:

  • Quantity

    Customizing Data

    Object Name   Logical Key   Field Name   Mode
    SCHEDLN       No entry      QUANTITY     Change

  • Unit of Measurement

    Customizing Data

    Object Name   Logical Key   Field Name         Mode
    PRODUCT_I     No entry      PROCESS_QTY_UNIT   Change

Definition of authorization group 0002 – Authorization group 0002 consists of the following fields:

  • Pricing Date

    Customizing Data

    Object Name   Logical Key   Field Name   Mode
    PRICING       No entry      PRICE_DATE   Change

  • Price Lists

    Customizing Data

    Object Name   Logical Key   Field Name   Mode
    PRICING       No entry      PRICE_LIST   Change

b) Customizing Settings in the IMG Activity Maintain Authorizations at Field Level

The following entries are maintained in the control table CRMM_AUTH_FIELD:

Entries in the Control Table

Transaction Type   Item Category   Authorization Group   Authorization level
TA                 TAN             0001                  15
TA                 TAN             0002                  10

c) Authorization Object CRM_FLDCHK

The user has the following authorizations:

Authorization group   Authorization level
0001                  6
0002                  12

d) Outcome from Sample Data

When the user creates a sales order with transaction type TA and item category TAN, he or she cannot change the fields of authorization group 0001 (Quantity and Unit of Measure), as he or she only has authorization level 6 for this, and this value is below authorization level 15 from the control table. The user can, however, change the fields of authorization group 0002 in the order (Pricing Date and Price List), as he or she has authorization level 12, which is above authorization level 10 from the control table.
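The decision logic described under Features, applied to the sample data above, as an added Python model (not SAP code and not taken from the original documentation). The names Rule, is_allowed and audit are hypothetical; only the two key fields shown in the sample control table are modelled (delivery status is left out), and a group missing from the user's authorizations is assumed to fail the check.

```python
# Added model of the documented check; names and structure are illustrative.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:                      # one row of control table CRMM_AUTH_FIELD
    trans_type: str              # "*" = all transaction types
    item_cat: str                # "*" = all item categories
    auth_group: str
    level: int


# IMG activity Define Authorization Group: group -> (object, field, mode)
GROUP_FIELDS = {
    "0001": {("SCHEDLN", "QUANTITY", "Change"),
             ("PRODUCT_I", "PROCESS_QTY_UNIT", "Change")},
    "0002": {("PRICING", "PRICE_DATE", "Change"),
             ("PRICING", "PRICE_LIST", "Change")},
}
CONTROL_TABLE = [Rule("TA", "TAN", "0001", 15), Rule("TA", "TAN", "0002", 10)]
USER_LEVELS = {"0001": 6, "0002": 12}   # CRM_FLDCHK: one whole number per group


def _key_matches(rule_value, actual):
    return rule_value == "*" or rule_value == actual


def is_allowed(obj, field, mode, trans_type, item_cat,
               user_levels, control_table=CONTROL_TABLE, groups=GROUP_FIELDS):
    """Return True if the modelled check lets the user perform `mode`."""
    if not control_table:               # empty control table: check is skipped
        return True
    for group, members in groups.items():
        if (obj, field, mode) not in members:
            continue
        for rule in control_table:
            if (rule.auth_group == group
                    and _key_matches(rule.trans_type, trans_type)
                    and _key_matches(rule.item_cat, item_cat)):
                # Assumption: a group the user holds no authorization for
                # is treated as below every required level.
                if user_levels.get(group, -1) < rule.level:
                    return False        # every matching group must pass
    return True


def audit(trans_type, item_cat, user_levels):
    """List (object, field, mode, allowed) for every configured field."""
    fields = sorted(set().union(*GROUP_FIELDS.values()))
    return [(o, f, m, is_allowed(o, f, m, trans_type, item_cat, user_levels))
            for o, f, m in fields]
```

Running audit("TA", "TAN", USER_LEVELS) lists the effective result per field, which is a convenient way to review a planned rule set before it is maintained in the control table.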

More Complex Examples for Business Transaction Components

  • Order Item (ORDERADM_I)

    You can allow users to change or display the individual fields of business transaction component Order Item (ORDERADM_I), but only in CRM E-Commerce. In the IMG activity Define Authorization Group, for example, choose the following entries:

    Object Name   Logical Key   Field Name   Mode
    ORDERADM_I    No entry      ITM_TYPE     Change or Display

    You can allow the creation or deletion of order items for the entire business transaction component. In the IMG activity Define Authorization Group, for example, choose the following entries:

    Object Name   Logical Key   Field Name   Mode
    ORDERADM_I    No entry      No entry     Create or Delete

  • Partner (PARTNER)

    You can allow users to change or display the individual fields of business transaction component PARTNER, but only in CRM E-Commerce. In the IMG activity Define Authorization Group, for example, choose the following entries:

    Object Name   Logical Key   Field Name   Mode
    PARTNER       00000002      CITY         Change or Display

    You can allow the creation or deletion of partners in the business transaction for the entire business transaction component. In the IMG activity Define Authorization Group, for example, choose the following entries:

    Object Name   Logical Key   Field Name   Mode
    PARTNER       No entry      No entry     Create or Delete

    With the assignment of a logical key, you can make the authorization check even more detailed for entire subobjects or fields of a subobject in a business transaction component.

    For example, you can permit only a specific authorization group to change the corresponding fields of object Partner that exclusively relate to the partner function Ship-To Party (logical key: 00000002). In the IMG activity Define Authorization Group, for example, choose the following entries:

    Object Name   Logical Key   Field Name   Mode
    PARTNER       00000002      No entry     Create or Delete
    PARTNER       00000002      CITY         Change or Display

    Note

    If there is no logical key available for the entire business transaction component or for part of it, the rule is valid for all subobjects. For example, for the object Partner, the rule is valid for all partner functions.

    If you select the field ADDR_NR for the business transaction component PARTNER and the logical key 00000002, you can prevent unauthorized users from being able to change the complete delivery address in the sales order.

  • Transaction History (DOC_FLOW)

    You can control actions for campaigns and trade promotions by using the object Transaction History, and thereby determine whether a specific authorization group can change or display a campaign or trade promotion. (This is only supported in CRM E-Commerce.) In the IMG activity Define Authorization Group, for example, choose the following entries:

    Object Name   Logical Key   Field Name   Mode
    DOC_FLOW      BUS2010020    OBJKEY_A     Change or Display

    If you have activated the function Multiple Campaigns or Trade Promotions, you can then use this function to influence whether specific users can create or delete campaigns or trade promotions. In the IMG activity Define Authorization Group, choose the following entries:

    Object Name   Logical Key   Field Name   Mode
    DOC_FLOW      BUS2010020    No entry     Create or Delete

    The logical key BUS2010020 is valid for all campaign-business-object types: campaigns, campaign elements, trade promotions, or trade promotion elements.